| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2023-5631 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine.
In recent campaign Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail sent containing a Base64-encoded payload embedded in the HTML source code. The payload gets decoded and injects a remote javascript, checkupdate.js, in current user session.
The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction, the attack gets executed only in viewing the malicious email in a web browser.
References
|
| CVE-2023-5631 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability | primary_impact | T1059.007 | JavaScript |
Comments
This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine.
In recent campaign Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail sent containing a Base64-encoded payload embedded in the HTML source code. The payload gets decoded and injects a remote javascript, checkupdate.js, in current user session.
The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction, the attack gets executed only in viewing the malicious email in a web browser.
References
|
| CVE-2023-5631 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine.
In recent campaign Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail sent containing a Base64-encoded payload embedded in the HTML source code. The payload gets decoded and injects a remote javascript, checkupdate.js, in current user session.
The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction, the attack gets executed only in viewing the malicious email in a web browser.
References
|